How does everyone here control ActiveSync access to Exchange to ensure users are on Meraki and not manually entering their ActiveSync server settings? Right now we are controlling access by manually auditing compliant Meraki devices against Exchange ActiveSync devices but it's time consuming and not 100% accurate since there is no attribute that both Meraki and Exchange expose which can be used as a key field.
I have worked with a different MDM provider that had a proxy which sat between Exchange and the Internet and only allowed managed devices through but Meraki doesn't seem to have this.
We quarantine all new devices on Exchange and confirm they are compliant on Meraki before we authorize them, but some users have figured out that they can remove Meraki right after doing this. They then add back the ActiveSync connection manually. The device is already authorized in Exchange so they get their mail without the device being fully managed. Users are allowed more than one device, so I can, through a very manual process, reconcile the number of compliant devices a user has on Meraki against the number of devices they have on Exchange but there is no key field in the data from Meraki that can be used to explicitly identify the same device on both Meraki SM and in Exchange.
According to the Apple developer docs, there is an attribute, EASDeviceIdentifier, which is the DeviceId for Exchange and should be accessible via MDM. If Meraki SM passed this through via the web interface or API, it could be used to reconcile compliant devices against Exchange. It is documented on the page below.
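The two reconciliation approaches described in this thread (count-based per user, and keyed on the Exchange DeviceId if Meraki SM ever exposed the EASDeviceIdentifier) side by side, as an added example that is not code from the thread, from Meraki or from Microsoft. The inputs are constructed sample exports; the field names (`user`, `device_id`, `state`, `owner`, `compliant`, `eas_id`) are assumptions about how the two admin consoles' exports might be shaped, and `eas_id` in particular is hypothetical since the thread states SM does not currently pass it through.

```python
"""
Reconcile an Exchange ActiveSync device list against a Meraki SM inventory.

Added example (not the thread's or any vendor's code). Both inputs are
constructed sample exports; the column names are assumptions.
"""
from collections import defaultdict

# Constructed sample: Exchange ActiveSync partnerships per mailbox.
# "state" mirrors the allowed/quarantined split described in the thread.
EXCHANGE_DEVICES = [
    {"user": "alice@example.com", "device_id": "ABC123", "state": "Allowed"},
    {"user": "alice@example.com", "device_id": "DEF456", "state": "Allowed"},
    {"user": "bob@example.com",   "device_id": "GHI789", "state": "Allowed"},
    {"user": "carol@example.com", "device_id": "JKL012", "state": "Quarantined"},
]

# Constructed sample: Meraki SM inventory. "eas_id" is a hypothetical
# pass-through of the EASDeviceIdentifier attribute; SM does not expose it today.
MERAKI_DEVICES = [
    {"owner": "alice@example.com", "compliant": True,  "eas_id": "ABC123"},
    {"owner": "bob@example.com",   "compliant": True,  "eas_id": "GHI789"},
    {"owner": "carol@example.com", "compliant": True,  "eas_id": "JKL012"},
]


def reconcile_by_count(exchange, meraki):
    """Per-user count comparison: the only check possible without a shared key.

    Returns {user: (allowed_exchange_devices, compliant_sm_devices)} for every
    user whose allowed ActiveSync devices outnumber their compliant SM devices.
    This catches a user who unenrolled and re-added ActiveSync by hand, but it
    cannot say *which* device is the unmanaged one.
    """
    allowed = defaultdict(int)
    for d in exchange:
        if d["state"] == "Allowed":
            allowed[d["user"]] += 1

    compliant = defaultdict(int)
    for d in meraki:
        if d["compliant"]:
            compliant[d["owner"]] += 1

    return {u: (allowed[u], compliant[u])
            for u in allowed if allowed[u] > compliant[u]}


def reconcile_by_id(exchange, meraki):
    """Exact reconciliation, possible only if SM exposed the EASDeviceIdentifier.

    Returns the allowed Exchange DeviceIds that have no compliant managed
    counterpart, so each unmanaged partnership can be identified directly.
    """
    managed = {d["eas_id"] for d in meraki if d["compliant"] and d.get("eas_id")}
    return sorted(d["device_id"] for d in exchange
                  if d["state"] == "Allowed" and d["device_id"] not in managed)


if __name__ == "__main__":
    print("Users with more allowed devices than compliant ones:",
          reconcile_by_count(EXCHANGE_DEVICES, MERAKI_DEVICES))
    print("Allowed DeviceIds with no compliant managed match:",
          reconcile_by_id(EXCHANGE_DEVICES, MERAKI_DEVICES))
```

With the sample data, the count check only reports that alice has two allowed devices but one compliant one; the keyed check pinpoints `DEF456` as the partnership to revoke, which is the gap the thread is describing.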
Are the users mostly connecting via WiFi? If so, configure the WiFi to only allow devices with the Systems Manager installed. If they don't have it on their mobile device it makes you install it to continue on.
You could look into setting up client certificate authentication. This would require generating certificates for your device owners, which allows you to only authenticate devices enrolled in SM and assigned to your owner entries in Dashboard.
This is one solution I have looked into and, while I could automate the process of generating certs for the users, I would need to manually manage assigning the certificates to each owner/device. Is there any (semi)automated way of assigning certificates to users through Meraki?
I actually tried this, unsuccessfully. I signed the Meraki CA cert so internal systems will recognize the SCEP certs as valid. The problem is there is no way, that I'm aware of, to associate the SCEP cert with the user account so Exchange could use it for authentication.